Is the security system that enforces the security policy working properly or it doesn’t manage its functions?
What is the real effectiveness of existing security tools?
Run an attack simulation
Assess controls to identify security gaps
Fix it with effective recommendations